Risk angles Five questions on reputation risk This edition of our Risk Angles series looks at the challenges and impacts associated with reputation risk. We also explore strategies organisations have put in place to manage reputation risk. A manufacturer’s sales representatives are accused of bribing foreign officials to gain business. A credit card breach at a retailer threatens consumers’ personal data. A corporate headquarters’ relocation is characterised in the media as a tax avoidance move. Each of these risk scenarios poses a reputation risk for the company involved. And in each case, the reputation risk is a by-product of another business risk — ethics, security, tax. Understanding the interconnectivity of reputation risk is essential to staying ahead of this critical issue. Henry Ristuccia, global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited (DTTL), discusses the growing threat of reputation risk and the steps leading companies are taking to address it. Interview with Henry Ristuccia: Global leader, Governance, Risk and Compliance Services Question Henry’s take Why is reputation risk a top strategic concern? Reputation risk is evolving. It is a strategic concern because it is connected to and magnified by other business risks. According to a recent DTTL survey, Reputation@Risk, the most prevalent drivers of reputation risk are risks related to ethics and integrity, physical and cyber security, and products and services. Third-party relationship risk is also rapidly emerging, as companies are increasingly being held accountable for the actions of vendors, brokers, and similar associates. So as those risks proliferate, reputation risk heightens as well. Reputation risk keeps business leaders up at night because it is a meta risk. It can originate and spread from inside and outside the organisation, at an alarming speed. The executives interviewed in the global survey expressed the inherent challenges in this situation. For example, perceptions can vary from geography to geography, so an issue or event may not pose a threat in one locale, but may trigger a worldwide media frenzy in another with very real consequence to reputation. Adding to the concern is that some of these risks are beyond the company’s direct control. Respondents to the survey were less confident about managing risks from third-party/extended enterprise issues, competitive attacks, and hazards or other catastrophes than about managing risks they can control internally, such as those related to regulatory compliance or employee misconduct. Question Henry’s take How is this concern over reputation risk being reflected in organisations? Certainly the potential for damage from a negative reputation event is real and can take many forms, from loss of brand confidence to impact on revenue/earnings to closer scrutiny from regulators. But there is also opportunity to benefit from how a reputation event is handled, both to mitigate its immediate effect and to gain long-term insight to better respond to — or better yet, prevent — future events. For the survey participants, crisis management is a key area for investment. True crises — catastrophic mega events or a series of escalating events that threaten an organisation’s strategic objectives, reputation, or viability — are an ever-present danger. They test a company’s values, leadership, and character at a time when there is no room for error. Crisis management involves identifying and preparing for these risks so companies can hit the ground running, using tools and techniques such as crisis simulations, monitoring, risk sensing, and rapid response and communications teams. Developing processes and investing in tools to monitor the landscape is also a way companies can get ahead of reputation risk. Another area of opportunity is scenario planning — more than one-third of the surveyed companies do not do “what if” scenarios, which can be extremely helpful in addressing risk strategically. What are some other ways companies are managing reputation risk? Companies at the leading edge of managing reputational risk are finding ways to link strategy and innovation with their risk management programs and identify where the next disruption could arise. They are using data analytics to gather and help interpret market intelligence to identify threats to their reputation. And they are readying their leaders and the organisation to respond and recover in the event of a crisis. Monitoring and managing stakeholder expectations are an ongoing effort. Reputation risk occurs when performance does not match expectations, so you have to understand what stakeholders (customers, regulators, shareholders, and employees) expect — and realise that those expectations tend to evolve over time. Companies are using external analysts and data sources to supplement their internal observations from, say, marketing and HR. A South African perspective South African companies consistently rated reputational risk as the number one strategic risk. Key local contributing factors including the increased level of customer activism driven by social media and the greater scrutiny by local and global markets. Organisations have to be more responsive in addressing risks that have a potential reputational impact as the speed of onset of these risks materialising has significantly increased. On a positive note, some organisations have begun taking advantage of greater transparency by building brand and reputation through more regular engagement with stakeholders through social media and more traditional channels. A closer look: Unravelling reputation risk By Marc Duchevet and Hervé Phaure A lingering challenge that many organisations face is that they approach reputation risk reactively. You do not want to wait for a reputation risk to occur and then scramble to respond. Leading companies address reputation risk as an ongoing strategic issue, recognising that managing reputation risk requires constant vigilance. Ultimately, how a company manages the expectations and performance related to its reputation determines whether value is created or destroyed. As a first step, it is critical to define the homogeneity of the organisation’s business units regarding reputational risk. This analysis considers the structure of each group, existing brands, types of product, and geography in order to determine whether reputation risk is confined to a particular business unit independently or is a potential contagion that could affect the business. Then, the process of understanding potential losses begins by analysing the risk exposure and vulnerability of key stakeholder groups, for instance — direct and indirect customers; public authorities and regulators; senior executives; employees; shareholders/ investors; and media/analysts. The aim is to determine each stakeholder group’s capacity and willingness to act on reputation issues in a way that negatively impacts the company or threatens its business model. For example, if a negative event occurs around a particular product, what is the risk that customers could boycott the product and turn to a competitor’s product instead (i.e., do customers have the capacity to act on a negative issue)? And second, how likely are they to take that action (i.e., are they sensitive enough to reputation issues to be willing to boycott or switch)? If the product has no real competitors or is seen as a necessity by customers, customers may have neither the capacity nor willingness to take action, in which case an image problem does not pose significant reputational risk. Understanding the sensitivities of key stakeholders also helps guide crisis management. One of the questions that arises when dealing with a reputation-related issue is what kind of communication to deploy, in what media, with what objective, and with what frequency. If you know that a certain stakeholder is not that sensitive to the negative event, or that there is no potential contagion from one stakeholder to another or one product to another, you can conclude that there is no real value in spending a lot of money communicating to these people when a reputational issue occurs. Reputation risk and other types of strategic risk that might significantly affect an organisation’s business model are often addressed in agency rating analyses under the scope of “business risks.” Knowledge of credit methodologies as well as operational risk can be a key to developing an effective modelling approach. For more information, contact: South Africa Dave Kennedy Managing Director, Risk Advisory, Africa Igna Gray Director: Risk Advisory Tel: +27 11 806 5340 Email: [email protected] (Pretoria) Tel: +27 12 482 0096 Email: [email protected] Pramesh Bhana Africa Leader: Risk Advisory, Governance, Risk and Oversight Sisa Ntlango Associate Director: Risk Advisory (Johannesburg) Tel: +27 11 806 5386 Email: [email protected] (East London) Tel: +27 43 783 4006 Email: [email protected] Nina le Riche Africa Director: Risk Advisory (Cape Town) Graham Dawes Tel: +27 21 427 5669 Email: [email protected] Leader: Risk Advisory, Rest of Africa Tel: +254(0)719892209 Email: [email protected] Zama Dlamini Director: Risk Advisory (KwaZulu-Natal) Tel: +27 31 560 7177 Email: [email protected] Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2015. For information, contact Deloitte Touche Tohmatsu Limited.
© Copyright 2024